Authorization endpoint bypasses CORS middleware


#1

This post was flagged by the community and is temporarily hidden.


#2

Yes, you can set origin in your client to allow certain origins for certain clients. The API docs should have more info on that.


#3

Ah, I now see it inside the schema definition for clients, will give it a try. Thanks!


#4

Unfortunately it doesn’t work, or I am doing something wrong. After reading the documentation of allowed_cors_origins again, it explicitly mentions the token endpoint, while I am talking about the authorization endpoint.

My Environment contains

  • CORS_ENABLED=true
  • CORS_DEBUG=true
  • CORS_ALLOWED_ORIGINS=*

which I had hoped to be enough. I now have also explicitly enabled allowed_cors_origins for the client and set it to relying party1 - but still I see

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://auth.redacted/oauth2/auth?response_type=code&client_id=party2_client&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing

in the JavaScript console (and curl or whatever). What you describe seems to be performed by the corsMiddleware passed into SetRoute, but it is explicitly not used in https://github.com/ory/hydra/blob/master/oauth2/handler.go#L173

Finally my logs show

[cors] 2018/12/07 17:06:54 Handler: Actual request
[cors] 2018/12/07 17:06:54   Actual request no headers added: missing origin
time="2018-12-07T17:06:54Z" level=info msg="started handling request" method=GET remote="10.244.2.1:43476" request=/health/alive
time="2018-12-07T17:06:54Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=210398 method=GET remote="10.244.2.1:43476" request=/health/alive status=200 text_status=OK took="210.398µs"
time="2018-12-07T17:06:55Z" level=info msg="started handling request" method=GET remote=10.244.1.133 request=/.well-known/openid-configuration request_id=4a3fc9ae1f4e570ac1c74c243224b8b9
[cors] 2018/12/07 17:06:55 Handler: Actual request
[cors] 2018/12/07 17:06:55   Actual request no headers added: missing origin
time="2018-12-07T17:06:55Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=281999 method=GET remote=10.244.1.133 request=/.well-known/openid-configuration request_id=4a3fc9ae1f4e570ac1c74c243224b8b9 status=200 text_status=OK took="281.999µs"
time="2018-12-07T17:06:55Z" level=info msg="started handling request" method=GET remote=84.148.245.51 request="/oauth2/auth?response_type=code&client_id=party2&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline" request_id=b76b7da655612a5f61e802cb0b936645
time="2018-12-07T17:06:55Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=8590350 method=GET remote=84.148.245.51 request="/oauth2/auth?response_type=code&client_id=party2&state=eb4a35c2d57b232d6b9b5b1911242024&redirect_uri=https%3A%2F%2Fredacted%2Fredirect_uri&nonce=5cff77576fe13fe21588186e649ffafa&scope=openid%20offline" request_id=b76b7da655612a5f61e802cb0b936645 status=302 text_status=Found took=8.59035ms
[cors] 2018/12/07 17:06:56 Handler: Actual request
[cors] 2018/12/07 17:06:56   Actual request no headers added: missing origin
time="2018-12-07T17:06:56Z" level=info msg="started handling request" method=GET remote="10.244.2.1:43550" request=/health/ready
time="2018-12-07T17:06:56Z" level=info msg="completed handling request" measure#https://auth.redacted.latency=251799 method=GET remote="10.244.2.1:43550" request=/health/ready status=200 text_status=OK took="251.799µs"

so you can see the cors middleware doesn’t log anything for the /oauth2/auth request while it is active on discovery and health.

Edit: this is 1.0.0rc3
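The situation described in the post above (a CORS wrapper applied per route, so a route registered without it never gets Access-Control-Allow-Origin, even though the server-wide CORS settings are on) reduced to a small runnable demonstration. This is an added example written for this thread, not Hydra's code: the middleware, the two handlers, the allow-list and the hypothetical login URL are all constructed stand-ins, and the probe is the in-process equivalent of checking the header with `curl -sI -H 'Origin: https://party1' <url>`. It also shows the alternative wiring, wrapping the whole mux once so every route passes through the middleware. One caveat worth keeping in mind: the authorization endpoint is designed to be reached by a browser navigation (redirect), which answers with a 302 to the login page and is not subject to CORS at all; only a script-initiated request (XHR/fetch) from another origin would need the header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is a constructed stand-in for the CORS_ALLOWED_ORIGINS
// setting; "*" would allow any origin.
var allowedOrigins = []string{"https://party1"}

// corsMiddleware is a minimal, hypothetical CORS wrapper (not Hydra's).
// It only adds Access-Control-Allow-Origin when the request carries an
// Origin header that is on the allow-list. Requests without an Origin
// (top-level navigations, curl without -H Origin) get no CORS headers,
// which is the "no headers added: missing origin" case in the logs above.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			for _, allowed := range allowedOrigins {
				if allowed == "*" || strings.EqualFold(allowed, origin) {
					// Echo the concrete origin and tell caches it varies.
					w.Header().Set("Access-Control-Allow-Origin", origin)
					w.Header().Add("Vary", "Origin")
					break
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// discovery imitates /.well-known/openid-configuration (constructed body).
func discovery(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"issuer":"https://auth.example"}`)
}

// authorize imitates /oauth2/auth: the authorization endpoint answers a
// browser navigation with a 302 to the login page (hypothetical URL).
func authorize(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://login.example/login?login_challenge=demo", http.StatusFound)
}

// newRouter builds the routes. With wrapPerRoute=true only the discovery
// route is wrapped (the pattern that leaves /oauth2/auth without CORS
// headers); with wrapPerRoute=false the whole mux is wrapped once, so every
// route, including /oauth2/auth, passes through the middleware.
func newRouter(wrapPerRoute bool) http.Handler {
	mux := http.NewServeMux()
	if wrapPerRoute {
		mux.Handle("/.well-known/openid-configuration", corsMiddleware(http.HandlerFunc(discovery)))
		mux.Handle("/oauth2/auth", http.HandlerFunc(authorize)) // registered without the wrapper
		return mux
	}
	mux.HandleFunc("/.well-known/openid-configuration", discovery)
	mux.HandleFunc("/oauth2/auth", authorize)
	return corsMiddleware(mux)
}

// probe sends a GET with the given Origin (empty = none) to the router and
// returns the status code and the Access-Control-Allow-Origin header value
// ("" when the header is absent).
func probe(h http.Handler, target, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	const authURL = "/oauth2/auth?response_type=code&client_id=party2_client&scope=openid%20offline"
	for _, perRoute := range []bool{true, false} {
		h := newRouter(perRoute)
		for _, path := range []string{"/.well-known/openid-configuration", authURL} {
			code, acao := probe(h, path, "https://party1")
			fmt.Printf("perRoute=%-5v %-40s status=%d ACAO=%q\n", perRoute, path, code, acao)
		}
	}
}
```

With per-route wrapping the discovery probe gets `ACAO="https://party1"` and the /oauth2/auth probe gets `ACAO=""` with status 302, matching the console error in the post; with the mux wrapped once, both routes return the header. The same probe against a live deployment is `curl -sI -H 'Origin: https://party1' 'https://auth.redacted/oauth2/auth?...'` and looking for the Access-Control-Allow-Origin line; without the Origin header curl will never show it, whatever the server configuration.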


#5

Can you show the client config? Feel free to redact sensitive info


#6

Sure

{
  "client_id":"party2_client",
  "client_name":"Backend Client",
  "client_secret":"***",
  "redirect_uris":["https://party2/redirect_uri"],
  "grant_types":["authorization_code","refresh_token"],
  "response_types":["code"],
  "scope":"openid offline",
  "audience":null,
  "owner":"",
  "policy_uri":"",
  "allowed_cors_origins": ["https://party1"],
  "tos_uri":"",
  "client_uri":"",
  "logo_uri":"",
  "contacts":null,
  "client_secret_expires_at":0,
  "subject_type":"public",
  "token_endpoint_auth_method":"client_secret_basic",
  "userinfo_signed_response_alg":"none"
}


#7

Is "allowed_cors_origins": ["https://party1"], the right source URL? Have you tried * here? And feel free to move this over to GitHub as this seems to be a proper issue (and it’s easier to track there)


#8

Yes, it is the proper origin, I will try using * explicitly (deployment takes a bit of time, so please bear with me).

I started here as I wasn’t sure whether it is a bug or there was a good reason Hydra behaves the way it does. Will open an issue.


#9

What seems weird is that there is no debug message, this should work. Are you using serve all or two separate commands?


#10

I’m using serve all - using * didn’t change anything, BTW.

For now I’m creating a simple docker based test case and will add it to the issue I’m creating.


#11

Ok, strange - can you open an issue on GitHub (I’m away over the weekend)? Can you also check if you’re seeing two messages CORS Enabled on start up?


#12

Github Issue 1211 (the forum software says I cannot post a link to that host, seem to be some kind of hiccup).

enjoy your weekend and thanks so far :slight_smile:


#13

Oh, and if anybody could explain why my post was flagged as spam “by multiple community members” I’ll be happy to change whatever is needed. Unfortunately I have no idea. In any case I’d like to apologize if I’m violating any rules.


#14

It was? Man, the flagging system is really sh*t here. Constantly bans/mutes people for no reason…


#15

The system flagged it as spam, no real person. I have no idea how to unflag it…


#16

It flagged you because you posted multiple links to GitHub…I increased the post threshold and added github to the whitelist, sorry about that!


#17

Don’t worry.

The message that told me the post was hidden said “Multiple community members flagged this post before it was hidden,” that’s what the phrase in my message stemmed from. I figured it must have been the github links when the system later told me I couldn’t post a link to that host.

At least I now know to avoid using discourse for my own projects :wink: